Exam AWS Certified Security - Specialty topic 1 question 288 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 288
Topic #: 1

A company stores sensitive documents in Amazon S3 by using server-side encryption with an AWS Key Management Service (AWS KMS) CMK. A new requirement mandates that the CMK that is used for these documents can be used only for S3 actions.
Which statement should the company add to the key policy to meet this requirement?
A.

B.

C.

D.

Suggested Answer: B

Comments

hk436
Highly Voted 3 years, 8 months ago
C is my answer: deny all KMS actions if the call is not via the S3 service.
upvoted 17 times
vikaswalajay
2 years, 9 months ago
correct
upvoted 1 times
...
...
Raphaello
Most Recent 1 year, 4 months ago
C is the correct answer. Deny all KMS actions (on the specific key) if it is not via service S3.
upvoted 1 times
...
M2ao
1 year, 9 months ago
Answer C
upvoted 1 times
...
Toptip
2 years, 1 month ago
C - viaService is used for such a scenario
upvoted 1 times
...
createchange
2 years, 4 months ago
Why oh why are so many answers incorrect? And then you have this one, where you can't even vote on the correct answer, so you must view the comments to confirm. It's C.
upvoted 1 times
...
D2
2 years, 7 months ago
Answer C
upvoted 3 times
...
vikaswalajay
2 years, 9 months ago
C is correct
upvoted 1 times
...
sapien45
2 years, 10 months ago
It’s also possible to constrain a CMK so that it can only be used by specific AWS services through the use of the kms:ViaService conditional statement within the CMK key policy. C
upvoted 2 times
...
MDJago
2 years, 11 months ago
C is the correct answer. https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf Check page 4 of the link.
upvoted 1 times
...
jackfei
3 years ago
Yes, C is the right answer
upvoted 1 times
...
Jonfernz
3 years, 1 month ago
C! Deny all KMS actions unless the call is via service S3.
upvoted 1 times
...
sam_live
3 years, 5 months ago
C is the only plausible option.
upvoted 3 times
...
roger8978
3 years, 6 months ago
The question says that KMS needs to be restricted, i.e., will deny KMS (that removes B & D). kms:CallerAccount is a single value with an account ID. This eliminates A. C is the correct answer. https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
upvoted 3 times
...
1awssec
3 years, 8 months ago
C (for s3.AWS_region.amazonaws.com) > https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html
upvoted 2 times
...
kiev
3 years, 8 months ago
C for me. We can restrict KMS with a service condition and see the policy is written correctly to only work on S3 actions.
upvoted 4 times
...
TollaMS
3 years, 8 months ago
D looks right https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
upvoted 1 times
babaseun
3 years, 8 months ago
The answer is C. https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
upvoted 1 times
...
...
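The statement shape the commenters describe (deny all KMS actions unless `kms:ViaService` is S3), with a simplified evaluator showing which requests it blocks. This is an added example, not part of the original thread and not the text of any answer option; the region, the Sid and the helper names are assumptions.

```python
import fnmatch

# Constructed key-policy statement matching the commenters' description:
# deny every KMS action unless the request arrives via S3.
# The region (us-east-1) and the Sid are assumptions, not values from the page.
DENY_UNLESS_VIA_S3 = {
    "Sid": "DenyUnlessViaS3",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "kms:*",
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}
    },
}


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_denied(statement, action, via_service=None):
    """Simplified model of how one Deny statement applies to a request.

    via_service is the kms:ViaService value in the request context, or None
    when the caller invoked KMS directly (key absent from the context).
    Only Effect, Action and StringNotEquals on kms:ViaService are modelled.
    """
    if statement.get("Effect") != "Deny":
        return False
    # Action names are matched case-insensitively, with * as a wildcard.
    patterns = [p.lower() for p in _as_list(statement["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
        return False
    cond = statement.get("Condition", {}).get("StringNotEquals", {})
    allowed = cond.get("kms:ViaService")
    if allowed is None:
        return True  # no ViaService condition: the Deny is unconditional
    # A negated operator matches when the key is absent from the request,
    # so a direct call to KMS is denied as well.
    return via_service is None or via_service not in _as_list(allowed)
```

Because the Deny covers `kms:*`, the model also denies direct calls such as key administration, which is worth checking before applying a statement of this shape to a real key.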
Community vote distribution
A (35%)
C (25%)
B (20%)
Other